Trojan infestation, antivirus tools not running

Hi, Help appreciated.
Dell Desktop (Windows XP) infected with win32.sefbov.b and other malware. Initially MSE running but now blocked, icon disappeared. Tried to run Combofix, but Smart Fortress 2012 appears to be blocking stating the exe is infected. Tried running Combofix in safe mode, same problem. I can minimise Smart Fortress but can't close it. Have downloaded a copy of OTLPENet.exe to see if I can get an operating system but getting in beyond my depth. I have also isolated the machine from the internet. Any help gladly appreciated. Oh and the data on the system is pretty vital too.
regards

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

Okay, I'm not Broni but he would not have started you out like this. You appear to be following someone else's instructions. There is also a sticky telling you not to run Combofix on your own. So perhaps you can see why we tell everyone NOT to follow instructions given to someone else.
================================
Settings were changed on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program.

Please download FixNCR.reg and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.

Insert the removable device into the infected computer and open the folder for the drive letter associated with it. (Usually C)

Double click the FixNCR.reg file

You should now be able to run the .exe files.

=======================================
I'd like to get some basics please. If you cannot connect to the internet to download the programs, please put them on a flash drive, then run on the problem computer.
================================
Please follow these steps: Preliminary Virus and Malware Removal.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply. NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
====================================
The first scan, Malwarebytes, in our removal thread, will find and remove a great deal of the malware on the system. If you still have a problem running any of the scans, stop and tell me what the problem is. Please do not try to work around it on your own.
======================================
My Guidelines: please read and follow:

Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.

Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.

If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.

File sharing programs should be uninstalled or disabled during the cleaning process.

Observe these:
[o] Don't follow directions given to someone else
[o] Don't use any other cleaning programs or scans while I'm helping you.
[o] Don't use a Registry cleaner or make any changes in the Registry.
[o] Don't download and install new programs- except those I give you.
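A way to confirm the condition described in the post above (launching any .exe starts the infection instead) from an exported registry file, without running anything on the infected profile. This is an added example, not part of the original thread and not the contents of FixNCR.reg; it assumes the export was made with regedit and already decoded to text, and the sample export with its placeholder path and class name is constructed.

```python
import re

# Known-good default values for the executable file association.
# HKCR is a merged view; per-user copies live under HKCU\Software\Classes.
_ROOT = r"(?:^hkey_classes_root|\\software\\classes)"
RULES = [
    (re.compile(_ROOT + r"\\\.exe$"), "exefile"),
    (re.compile(_ROOT + r"\\exefile\\shell\\open\\command$"), '"%1" %*'),
]

def parse_reg_defaults(text):
    """Return {lowercased key path: default value} from .reg export text."""
    defaults, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith("@="):
            m = re.fullmatch(r'@="(.*)"', line)
            if m:  # .reg escapes backslash and double quote with a backslash
                defaults[key] = re.sub(r"\\(.)", r"\1", m.group(1))
    return defaults

def audit_exe_association(text):
    """List (key, value) pairs whose default differs from the known-good one."""
    findings = []
    for key, value in parse_reg_defaults(text).items():
        for pattern, expected in RULES:
            if pattern.search(key) and value != expected:
                findings.append((key, value))
    return findings

# Constructed sample export (placeholder path and class name, not from the thread).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\placeholder\\rogue.exe\" \"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="placeholder_class"
'''

if __name__ == "__main__":
    for key, value in audit_exe_association(SAMPLE):
        print("MODIFIED:", key, "->", value)
```

An empty result after the fix has been applied means the checked association keys are back to their defaults; a per-user entry under HKCU\Software\Classes takes precedence over the machine-wide one, so both are checked.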

Thx, message received, patience required, sorry.
Something I wasn't quite clear on was whether I should continue using the REATOGO-X-PE operating environment or reboot back to windows. Having rebooted to windows XP, I double clicked the FixNCR.reg file but immediately got a message stating regedit.exe was infected and couldn't run. Smart Fortress 2012 then took over most of the screen. Wasn't sure if it was ok to run FixNCR.reg under the Reatogo-X-PE environment or not, can you advise please.

I am able to connect to the Internet, just turned it off to prevent the Trojan(s) uploading.

A black window should pop up, press any key to close once the fix is completed.

A log file called exehelperlog.txt will be created and should open at the end of the scan.

A copy of that log will also be saved in the directory where you ran exeHelper.com

Copy and paste the contents of exehelperlog.txt in your next reply.

Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).
==================================
Without rebooting, see if you can now run the 3 preliminary scans.

Haven't been able to get anything to run using safe mode, but rkill.scr did run using another user account on the Dell. Following instructions then ran exehelper, downloaded, updated and ran malwarebytes - lots of malware found. Checked everything and deleted, then ran Gmer and dds. Logs for Malwarebytes, Gmer are below, DDS logs in the following post.

You have been using FunWebProducts site and their partner sites to get screensavers, cursor, wallpaper, Smilies and other 'cute' things to put on the system.

Uninstall the My Web Search option from Add/Remove Programs

1) Click on Start, Settings, Control Panel
2) Double click on Add/Remove Programs
3) Find "My Web Search" in the list of installed programs and click on Change/Remove to uninstall it. You may also want to uninstall any of the following items associated with FunWebProducts.

============================================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan.
Uninstall directions, if needed:

Click START> then RUN

Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

--------------------------------------
Before you run the Combofix scan, please disable any security software you have running.

Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.

Note: No query will be made if the Recovery Console is already on the system.

Close/disable all anti virus and anti malware programs
(If you need help with this, please see HERE)

Close any open browsers.

Click on Yes, to continue scanning for malware

If Combofix asks you to update the program, allow

When the scan completes, a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply.

Re-enable your Antivirus software.
Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
=======================================
To run the Eset Online Virus Scan:
If you use Internet Explorer:

Open Eset Smart Installer
[o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
[o] Double click on the desktop icon to run.
[o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window

Continue with the directions.

Check 'Yes I accept terms of use.'

Click Start button

Accept any security warnings from your browser.

Uncheck 'Remove found threats'

Check 'Scan archives'

Leave remaining settings as is.

Press the Start button.

ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.

When the scan completes, press List of found threats

Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.

Push the Back button, then Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
=======================================
First, set up a Directory for HijackThis as follows:
Right click Taskbar> Explore> My Computer> Local Drive (C)> File> New> Folder> Name folder HijackThis
Exit Explorer
You now have a folder C:\HijackThis
-----------------------------------------
Download HijackThis and save to your desktop.

Click on the HJT icon> 'Extract all files'> Extraction Wizard> Click on Browse to right of dialogue box that says 'Select a folder'

Extract it to the directory on your hard drive you created C:\HijackThis.

Then navigate to that directory and double-click on the hijackthis.exe file.

When started click on the Scan button and then the Save Log button to create a log of your information.

The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad

Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.

Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Questions:
1. Why are you running both AutoLogin.exe and LogMeIn on Startup?
2. Are you aware that when a process is set to Global Startup that it will start up no matter who logs on?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: QuickBooks_Standard
3. Your start page is blackie.com. Is this intentional? Are you aware that it intentionally loads a black screen 'to save energy'?
======================================
Let's try to send Smart Fortress 2012 packing: Everything following can be caused by the malware. Please try to complete all in the order I've given:

1. Boot into Safe Mode with Networking

Restart your computer and start pressing the F8 key on your keyboard.

Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, and then press ENTER.

2. Please login as the user that is infected with Smart Fortress 2012.

Right-click on your browser> select Run As or Run as Administrator
[o] If Windows prompts you for the Administrator password, please enter for browser to launch.

On above page> click on the Download Renamed Version and save file to C:\ drive
[o] Note: If you can't log on as Administrator> put the download on a flash drive from a clean computer> hold there for now.

Once FixExec has been downloaded to your computer or is stored on a flash drive/CDROM, log off from the Administrator account, but stay in Safe Mode.

At the Safe Mode logon prompt> logon as your normal, but now infected, user.
[o] If FixExec is on a flash drive, connect to infected computer and copy to C:\ folder on infected computer

4. Running the file

If Smart Fortress is running, minimize so desktop is visible

Navigate to C:\ and double click on FixExec.com to run
[o] Note: If you received a message that FixExec was not able to extract a file, then please move the FixExec.com file to your desktop and try again.

When completed, executables should run again.

5. Reset your browser Proxy

For Firefox:
o Open Firefox, click on "Tools" then "Options" and then on "Advanced".
o Click on the "Network" tab, and then on the "Settings" button.
o Please make sure that the "No Proxy" option is selected.

For Internet Explorer:
o Open Internet Explorer.
o Click on "Tools" and then select "Internet Options".
o Click on the "Connections" tab and click the "Lan Settings" button at the bottom.
o Uncheck "Use a Proxy server for your LAN".
o Click OK to close the Local Area Network (LAN) Settings window.
o Click OK to close the Internet Options window.

At the download page, click on Download now button for iExplore.exe download link and save to the desktop

Double click on the iExplore.exe icon
[o] Please be patient- it may take a bit.

The black Window will close when through and you can continue.

[o] Note: If you get a message that RKill is malware, ignore it> it's from the malware.
=======================================
Do not reboot your computer after running RKill as the malware programs will start again.
=======================================
7. Full Scan Mbam

Update and rescan with Malwarebytes: Note: On the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.
[o] When scan has finished, you will see this image:
[o] Click on OK to close box and continue.
[o] Click on the Show Results button.
[o] Click on the Remove Selected button to remove all the listed malware.
[o] At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.

====================================
Now reboot your computer back to normal mode.
===================================
This malware is frequently found on systems that don't have programs updated:
Please update the following:
Note: Check each download screen for any pre-checked Toolbars or BHOs. Uncheck them before the download.
Adobe Reader > Adobe Reader Update
Java(TM) > Java Updates. Uninstall any earlier versions of both as they are vulnerabilities for the system.
=====================================
See how this goes. We'll continue when above has been done.

Okay, so is it safe to say that Smart Fortress 2012 is no longer around?
---------------------------------------
Please update the following:
Note: Check each download screen for any pre-checked Toolbars or BHOs. Uncheck them before the download.
Adobe Reader> Current is vX(10.xx)> Adobe Reader Update
Java(TM) > Current is v6u31> Java Updates. Uninstall any earlier versions of both as they are vulnerabilities for the system.
-----------------------------------------
The new Eset entry is in the Java cache. I have removed it with the script in Combofix.
===========================================
Please run this Custom CFScript:

[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:

Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.

Click the red Moveit! button.

A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.

Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===========================================
Please be sure you update Java as instructed. The new entry in Eset is in the Java cache and that is usually because there is outdated Java on the system.
=========================================
Please run this Custom CFScript:

[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
====================
Since you have OTL on the desktop, please do a new scan with it and leave the log. I see many entries in the original scan you ran that I want to make sure are gone. The entries do not show in Combofix.

Okay, I removed a file and it came back, so you will need to submit it for identification:

Please go to VirSCAN.org FREE on-line scan service:
If busy, you can use one of the following (you only need one): VirusTotal, Jotti

[1]. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.

Code:

c:\windows\system32\drivers\22892082.sys

[2]. At the upload site, click once inside the window next to Browse.
[3]. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
[4]. Click on the Upload button.
This will perform a scan across multiple different virus scanning engines.
Your file will possibly be entered into a queue which normally takes less than a minute to clear.
Important: Wait for all of the scanning engines to complete.
[5]. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
[6]. Paste the contents of the Clipboard in your next reply.

====================================
Oh my word! From OTM>>Total Files Cleaned = 2,809.00 - that is a lot of files!
====================================
I think you misunderstood- I didn't want you to run OTM again, after the above. You started the thread with OTL>> that's what I'd like you to repeat.